Posted
by
Soulskill
on Sunday April 25, 2010 @11:22AM
from the army-of-pokes dept.

Sir Codelot writes "A hacker who calls himself Kirllos has obtained and is now offering to sell 1.5 million Facebook IDs at astonishingly low prices — $25 per 1,000 IDs for users with fewer than 10 friends and $45 per 1,000 IDs for users with more than 10 friends. Looking at the numbers, Kirllos has stolen the IDs of one out of every 300 Facebook users. Quoting: 'VeriSign director of cyber intelligence Rick Howard told the New York Times that it appeared close to 700,000 had already been sold. Kirllos would have earned at least $25,000 from the scam. Howard told the newspaper that it was not apparent whether the accounts and passwords were legitimate, but a Russian underground hacking magazine reported it had tested some of Kirllos' previous samples and managed to get into people's accounts.'"

The wonderful thing about his product though, is that he can keep selling it even after he has sold it.

He doesn't have 1.5 million accounts to sell once, he has 1.5 million accounts to sell over and over and over. He may only be able to get $50k for the lot, but he can sell them all a dozen times. Depending on if they catch him or not, and how effective they are at getting people to change their passwords (the only way to make the accounts worthless), this guy could make half a million dollars or more pretty easily.

Actually... what this means is that you should change your banking passwords.

Do any banks actually use ordinary password authentication? My bank has provided me with a Digipass, a small device with a numeric keypad, where I enter my PIN, select an authentication mode, input a challenge (a couple of randomly generated bank-provided numbers) and when confirming transfer orders, an amount. The device then displays a string of digits, which I enter into the bank login page. Using ordinary passwords seem pretty insecure in comparison.

Honestly, E*Trade is pretty much the only one I can think of off the top of my head that uses something like that. Pretty much every bank in the country just uses simple passwords with verification questions. And an astonishing number don't bother to make their home page load via SSl.

The main reason being that they aren't generally held accountable for breaches that may occur due to their own lax security measures. In relative recent history it was still relatively common for ID thieves to be able to get lots of material dumpster diving. As well as for companies like TD Ameritrade to fail to notice that they'd been haxxored.

Mostly it's a side effect of the conservative's personal responsibility fetish. Basically make everything the fault of the victim even if it's clearly not their fault.

Probably because unlike in the US, Russia seems to turn a completely blind eye to cyber criminals. Granted we don't do such a good job ourselves, but we do look for them and prosecute them when found. It's rich that a country with a very serious problem with organized crime would even pretend like there's no justification for pointing a finger back at the lack of enforcement.

Yes, but that would make the accounts worthless pretty quickly. The "value" of the account is that both the buyer and the actual account owner know the password. So it looks like a completely legitimate thing when the buyer (pretending to be the actual account owner) sends messages to the account owners "friends" asking them to go to certain sites, run certain "cool" programs, etc. The value goes down pretty quickly if the original owner is locked out by a password change and tells all their "friends" that they can't get in to Facebook anymore and had to make a new account. It makes any messages coming from that old account pretty suspicious even to the average idiot user.

facebook today told me: "your account was accessed from an unusual place and has been blocked." then i had to do all sorts of things to prove i'm human and it told me to create a new password. i created such a strong password that i have forgotten it. now will have to change it again.

Some New Zealand guy found his account on a list that was published earlier by the hacker, sure he may be complicit in the fraud, but then that wouldn't explain why the Russian hacker magazine didn't notice anything special about those accounts, such as a lack of messages. Also I would assume that FB has some mechanisms in place for preventing one IP to be used for signing up several hundred times, so he would have to use stuff like a bot net, and a captcha breaker anyway. So creating 1.5M fake accounts wouldn't turn out much easier than just phishing, brute-forcing, or whatever.

Here in Finland, banks usually provide you with a list of ~50-100 one-time use codes, so it's basically impossible to figure out the next code unless you manage to find some pattern in the random digit generator that the banks use to generate those one-time codes. To me this seems even more secure than using those keypads that most other european countries seem to be using. The only way I can concieve this to be hacked is to figure out what someone's userid is (random generated string, i.e. basically a traditional password), and then intercept their snail mail when they get their fresh set of one-time codes.

the only way I can conceive this to be hacked...
Always a dangerous statement - just because you can't think of an attack doesn't mean there isn't one.

You are correct that no one is going to guess the next one-time password. Instead, they are going to attack your machine, and piggyback on your session after you have logged in. This is happening in the wild today, although it's mostly aimed at larger commercial accounts.

Those keypads are more secure because they can be used to enter unique data for each transaction, like the amount of a transfer. Plus, they aren't connected to a network, so remote hacks are blocked. The keypad's generated code will definitively prove that the holder of the device entered the transaction data(*).